llm-proxy(app): gemma 反向代理 + token 鉴权 + /chat web UI

新 service，ns `llm-proxy`，域 `llm.famzheng.me`。 - POST /v1/chat/completions — OpenAI 兼容透传到 mochi 同款 backend gateway (gemma-4-31b-it)；一期强制 stream=false，SSE 留二期 - 鉴权: `Authorization: token <PROXY_AUTH_TOKEN>` 或同款 Bearer；常时间比较防 timing；空 expected 一律拒 - GET /chat — 自带极简 HTML chat UI（token 走 localStorage，附 curl example details）；/ 跳转到 /chat - Secrets `llm-proxy/proxy-credentials` 已 kubectl 手工创建： BACKEND_TOKEN (上游) + PROXY_AUTH_TOKEN (对外) - 13 个 cargo test 覆盖 auth 多个 scheme / 边界 + body 改写 (stream=false 强制注入)
2026-05-18 00:21:47 +01:00
parent 34fa47f95f
commit 857c0d5481
9 changed files with 673 additions and 0 deletions
@@ -0,0 +1,90 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: llm-proxy
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: llm-proxy
+  namespace: llm-proxy
+  labels:
+    app: llm-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: llm-proxy
+  template:
+    metadata:
+      labels:
+        app: llm-proxy
+    spec:
+      imagePullSecrets:
+        - name: registry-creds
+      containers:
+        - name: llm-proxy
+          image: registry.famzheng.me/mochi/llm-proxy:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+              name: http
+          envFrom:
+            # secret `proxy-credentials` 由 kubectl 手工创建（BACKEND_TOKEN +
+            # PROXY_AUTH_TOKEN），不在 git manifest 里。
+            - secretRef:
+                name: proxy-credentials
+          env:
+            - name: LLM_GATEWAY
+              value: "http://3.135.65.204:8848/v1"
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 1
+            periodSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 15
+          resources:
+            requests:
+              cpu: 10m
+              memory: 16Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: llm-proxy
+  namespace: llm-proxy
+spec:
+  selector:
+    app: llm-proxy
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: llm-proxy
+  namespace: llm-proxy
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: llm.famzheng.me
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: llm-proxy
+                port:
+                  number: 80